LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Fedora reexamines "trusted boot"

Fedora reexamines "trusted boot"

Posted Jul 3, 2011 12:13 UTC (Sun) by alonz (subscriber, #815)
In reply to: Fedora reexamines "trusted boot" by brendan_wright
Parent article: Fedora reexamines "trusted boot"

I'm afraid I have to disagree with you, at least partially…

For example, you write
> It may not prevent compromise but the idea is it can reveal it through remote attestation
Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even “connected” devices often use cellular (= intermittent) connections.

Likewise,
> The idea is that the signing process continues after boot and no code is run without first being checked
This assumes a completely closed software ecosystem—which, again, is far from the normal case in almost all modern use-cases.

The concepts of “trusted boot” looked OK on paper, in the context of early security research (which dealt with monolithic managed systems, when software distributions were small and organizations were large). But they don't fit most modern use cases.

(Log in to post comments)

Fedora reexamines "trusted boot"

Posted Jul 4, 2011 2:31 UTC (Mon) by brendan_wright (subscriber, #7376) [Link]

> Here you are assuming that the main purpose of the system is access to some (single!) remote service, which can perform the attestation often enough to matter. But this isn't the case for most modern uses, especially when even “connected” devices often use cellular (= intermittent) connections.

If a firewall is setup to check the security of severs or desktops siting behind it, it can take them offline as soon as they fail a trust check. A mobile device like an Android integrates with online systems such as the update system that could in theory perform such checks for you (alerting your by email perhaps). A lot is possible if the software can be sorted properly...

> > The idea is that the signing process continues after boot and no code is run without first being checked

> This assumes a completely closed software ecosystem—which, again, is far from the normal case in almost all modern use-cases.

Really? Don't many distros and Anrdoid already only download correctly signed code updates by default? Linux is already much more "closed" or at least "centralized" in one sense than Windows in that most software is installed via apt-get or whatever.

It's not hard to imagine extending this framework to include the TPM, so that your system can attest it is running the code as provided by the update servers, not some code compromised in transit or after it was installed on your machine.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds